Linux 5.9: Seccomp Notifier, RISC-V and DebugFS
-
The Seccomp Notifier - Cranking up the crazy with bpf()
The second feature just landed in the merge window for v5.9. So what better time than now to boot a v5.9 pre-rc1 kernel and play with the new features.
I said that these features make it possible to intercept syscalls that return file descriptors or that pass file descriptors to the kernel. Syscalls that come to mind are open(), connect(), dup2(), but also bpf(). People who read the first blog post might not have realized how crazy^serious one can get with these two new features, so I thought it would be a good exercise to illustrate it. And what better victim than bpf().
As we know, bpf() and unprivileged containers don't get along too well. But that doesn't need to be the case. For the demo you're about to see I enabled LXD to supervise the bpf() syscalls for tasks running in unprivileged containers. We will intercept the bpf() syscalls for the BPF_PROG_LOAD command for BPF_PROG_TYPE_CGROUP_DEVICE program types, and the BPF_PROG_ATTACH and BPF_PROG_DETACH commands for the BPF_CGROUP_DEVICE attach type. This allows a nested unprivileged container to load its own device profile in the cgroup2 hierarchy.
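The interception described above, as an added example that is not code from the blog post or from LXD: a target process (standing in for a task in the container) installs a seccomp filter that routes every bpf() call to a listener, the supervisor pulls that listener out of the target with pidfd_getfd(), reads the union bpf_attr the target passed, and applies the policy stated above: BPF_PROG_LOAD only for BPF_PROG_TYPE_CGROUP_DEVICE, BPF_PROG_ATTACH and BPF_PROG_DETACH only for BPF_CGROUP_DEVICE, everything else failed with EPERM. It assumes Linux 5.9 or later on x86_64 or arm64 and UAPI headers new enough to carry the seccomp notifier definitions; the filter array, the function names and the denied BPF_PROG_TYPE_SOCKET_FILTER load in the demo are my constructions, not the post's.

```c
/* Added example, not code from the blog post or from LXD: a seccomp user-notification
 * supervisor for bpf() that applies the post's policy. Needs Linux 5.9 and its UAPI headers. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifdef __aarch64__
#  define ARCH_NR AUDIT_ARCH_AARCH64
#else
#  define ARCH_NR AUDIT_ARCH_X86_64     /* extend for other architectures */
#endif
#ifndef __NR_pidfd_getfd                /* pre-5.6 headers; the numbers are the same on every arch */
#  define __NR_pidfd_open 434
#  define __NR_pidfd_getfd 438
#endif

/* Classic BPF filter: bpf() goes to the supervisor, every other syscall is allowed as usual. */
static const struct sock_filter notify_bpf_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bpf, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* The post's policy: load only BPF_PROG_TYPE_CGROUP_DEVICE programs, attach and detach only
 * at BPF_CGROUP_DEVICE, refuse every other bpf() command outright. */
int bpf_call_permitted(__u32 cmd, __u32 prog_type, __u32 attach_type)
{
    if (cmd == BPF_PROG_LOAD) return prog_type == BPF_PROG_TYPE_CGROUP_DEVICE;
    if (cmd == BPF_PROG_ATTACH || cmd == BPF_PROG_DETACH) return attach_type == BPF_CGROUP_DEVICE;
    return 0;
}

/* union bpf_attr lives in the target's memory: copy it out via /proc/<pid>/mem, then re-check
 * the notification id so a target that died (pid reused) cannot have fed us a stranger's memory. */
static void decide(int listener, const struct seccomp_notif *req, struct seccomp_notif_resp *resp)
{
    union bpf_attr attr = {0};
    char path[48];
    snprintf(path, sizeof path, "/proc/%u/mem", req->pid);
    int mem = open(path, O_RDONLY);
    size_t len = req->data.args[2] < sizeof attr ? req->data.args[2] : sizeof attr;
    ssize_t n = mem < 0 ? -1 : pread(mem, &attr, len, (off_t)req->data.args[1]);
    if (mem >= 0) close(mem);
    *resp = (struct seccomp_notif_resp){ .id = req->id };
    if (n >= 0 && ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) == 0 &&
        bpf_call_permitted((__u32)req->data.args[0], attr.prog_type, attr.attach_type))
        resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;   /* the kernel performs the call */
    else resp->error = -EPERM;                             /* the target's bpf() fails */
}

int main(void)
{
    int pipefd[2], remote = -1;
    if (pipe(pipefd) < 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {                                   /* target: stands in for the container task */
        struct sock_fprog prog = { sizeof notify_bpf_filter / sizeof notify_bpf_filter[0],
                                   (struct sock_filter *)notify_bpf_filter };
        union bpf_attr attr = {0};
        attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;     /* not cgroup-device: policy denies it */
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
        int listener = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                               SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
        if (write(pipefd[1], &listener, sizeof listener) < 0 || listener < 0) exit(1);
        long r = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
        printf("target: bpf(BPF_PROG_LOAD) -> %ld (%s)\n", r, r < 0 ? strerror(errno) : "ok");
        exit(0);
    }
    /* Supervisor: pull the listener out of the target with pidfd_getfd() (Linux 5.6). */
    if (pid <= 0 || read(pipefd[0], &remote, sizeof remote) != sizeof remote || remote < 0) return 1;
    int listener = syscall(__NR_pidfd_getfd, syscall(__NR_pidfd_open, pid, 0), remote, 0);
    if (listener < 0) { perror("pidfd_getfd"); return 1; }
    struct pollfd pfd = { listener, POLLIN, 0 };
    struct seccomp_notif req; struct seccomp_notif_resp resp;
    for (;;) {
        if (poll(&pfd, 1, -1) < 0) { if (errno == EINTR) continue; break; }
        if (pfd.revents & POLLHUP) break;             /* every task using the filter has exited */
        memset(&req, 0, sizeof req);                  /* NOTIF_RECV insists on a zeroed struct */
        if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) continue;
        decide(listener, &req, &resp);
        ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

Build with `cc -Wall demo.c -o demo` and run as an ordinary user; the target's BPF_PROG_LOAD is refused by the supervisor before it ever reaches the kernel, so the printed line reports EPERM. Two points matter for anything beyond a demo. The notification id has to be re-validated after the supervisor reads the target's memory, as decide() does, because the target can die and its pid be reused while the supervisor is looking. And SECCOMP_USER_NOTIF_FLAG_CONTINUE is only safe for decisions that do not depend on the arguments: another thread in the target can rewrite the union bpf_attr between the supervisor's read and the kernel's, so a supervisor that gates on the arguments, which is what the LXD setup above does, performs the bpf() call itself from its own copy of the arguments and hands the resulting descriptor back into the target with the SECCOMP_IOCTL_NOTIF_ADDFD ioctl that 5.9 adds to the listener.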
-
RISC-V Software Support Adds More Features With Linux 5.9
More kernel architecture features continue to be supported by the RISC-V code with Linux 5.9.
Each kernel cycle we have been seeing more RISC-V code get squared away, and over the past year the port has begun running nicely on the likes of SiFive's HiFive Unleashed.
-
Linux 5.9 Exposes Device Link Details Via Sysfs, Allows Hiding DebugFS From User-Space
There are a few driver core changes for the Linux 5.9 kernel worth mentioning.
Exciting changes to the core driver infrastructure of the mainline Linux kernel are rare, though this time around there are a few alterations worth pointing out:
- The recently covered work by Sony that allows restricting user-space access to DebugFS while keeping the debug feature enabled is in Linux 5.9. While most distributions / Linux configurations already restrict DebugFS access to root / admin privileges, as this file-system often exposes sensitive system information, the change by Sony allows it to be initialized but not accessible from user-space. Sony's focus on this effort appears to be in line with further securing their Android smartphones.
-
